==Description==

This attack arises when an application allows a user to alter or pass in resource identifiers, which may enable an attacker to access or modify other protected system resources.

Two conditions must hold for this attack to succeed: first, the attacker is able to specify the identifier of a system resource; second, by specifying the resource, the attacker gains a permission that would not otherwise be possible.

Note: Resource injection that involves resources stored on the filesystem resembles the path manipulation attack, but the two are placed in separate categories; see the path manipulation attack for more details on that technique.

==External references==

* http://samate.nist.gov/SRD/view_testcase.php?login=Guest&tID=1734
* http://cwe.mitre.org/data/definitions/99.html
* http://capec.mitre.org/data/index.html#Definition
* http://www.fortifysoftware.com/vulncat/
* G. Hoglund and G. McGraw. Exploiting Software. Addison-Wesley, 2004.

==Examples==

''Example 1''

The following Java class is vulnerable to resource injection:

<pre>
import java.io.*;

public class ResourceInjection {

    private static void test() {

        String fileName = null;
        int checkInteger = 0;

        try {
            BufferedReader inStream = new BufferedReader(
                    new InputStreamReader(System.in));

            System.out.print("Please enter a filename: ");
            fileName = inStream.readLine();  // line 15: file name comes straight from the user

        } catch (IOException e) {
            System.out.println("IOException: " + e);
            return;
        }

        File myFile = new File("/var/tmp/" + fileName);  // line 22: unvalidated input becomes part of the path

        if (myFile.delete())
            System.out.println("deleted file");


    }

    public static void main(String[] args) {
        test();
    }
}
</pre>

Pay attention to line 15, where the variable “fileName” receives a file name from the user. Line 22 builds a path from the value of “fileName”, and the file with that name is then deleted.

Suppose the user passes the value “../../tomcat/conf/*.xml” for “fileName”: the system will execute the operation on this file and become inactive.

''Example 2''

The following code uses a port number read from a CGI request to create a socket.

<pre>
...
char* rPort = getenv("rPort");              /* port number taken from the request */
...
serv_addr.sin_port = htons(atoi(rPort));    /* used without any validation */
if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
    error("ERROR connecting");
...
</pre>

The kind of content that may be dangerous depends on the kind of resource that the user specifies in the input. For example, data containing special characters like “.”, “/” and “\” may be dangerous when used in operations that interact with the filesystem. In the same way, data that contains URLs may be used to create remote connections.
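The following C sketch is an added example, not part of the original page. It validates the two kinds of input discussed above before they reach a resource: the `rPort` value from Example 2 and a user-supplied file name such as the one in Examples 1 and 3. The allow-listed ports, the 64-character limit and the function names are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allow-list of ports this CGI program may connect to. */
static const long ALLOWED_PORTS[] = { 8080, 8443 };

/* Return the port if s is a plain decimal number on the allow-list, else -1.
 * atoi() in Example 2 is undefined for NULL and silently accepts "8080junk". */
int parse_allowed_port(const char *s)
{
    char *end;
    long v;
    size_t i;
    if (s == NULL || s[0] < '0' || s[0] > '9')
        return -1;                  /* unset, empty, or leading space/sign */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;                  /* out of range or trailing characters */
    for (i = 0; i < sizeof ALLOWED_PORTS / sizeof ALLOWED_PORTS[0]; i++)
        if (v == ALLOWED_PORTS[i])
            return (int)v;
    return -1;
}

/* Return 1 if name is one path component made only of letters, digits,
 * '_', '-' and '.', not starting with '.'; so no '/', '\\' or "..".
 * A name check alone does not resolve soft links. */
int is_safe_file_name(const char *name)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789_-.";
    size_t len;
    if (name == NULL || name[0] == '.')
        return 0;
    len = strlen(name);
    return len > 0 && len <= 64 && strspn(name, ok) == len;
}

int main(void)
{
    /* Constructed sample input: the file name used in Examples 1 and 3. */
    printf("port=%d\n", parse_allowed_port(getenv("rPort")));
    printf("safe=%d\n", is_safe_file_name("../../tomcat/conf/server.xml"));
    return 0;
}
```

Both checks accept only known-good input and reject everything else, so the caller connects or opens a file only after a non-negative port or a return value of 1.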

''Example 3''

This Java code uses input from an HTTP request to delete a file. The developer has not considered the possibility that an attacker may supply a file name such as "../../tomcat/conf/server.xml", which causes the application to stop functioning.

<pre>
String rName = request.getParameter("reportName");          // taken directly from the HTTP request
File rFile = new File("/usr/local/apfr/reports/" + rName);  // unvalidated input becomes part of the path
...
rFile.delete();
</pre>

________________________________________


Revision as of 13:23, 4 July 2007


''Example 4''

This code uses an input file name from the command line to specify which file to open and echo back to the user. If the user specifies a soft link to the file, they can use the program to read the first part of any file on the system.

C++ Example:

<pre>
ifstream ifs(argv[0]);   // file to open is chosen by the caller
string s;
ifs >> s;                // reads the first whitespace-delimited token of the file
cout << s;               // echoes it back to the user
</pre>